samples: matter: Adjust Matter samples to PSA SSF Crypto Service

Updated DTS files to disable fake PRNG and enable entropy from SSF crypto service. Enabled SSF Crypto Service in config overlays. Signed-off-by: Arkadiusz Balys <arkadiusz.balys@nordicsemi.no>
nrfconnect · Sep 25, 2024 · 0c46196 · 0c46196
1 parent 7c21fd6
commit 0c46196
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 12 deletions.
diff --git a/samples/matter/common/dts/nrf54h20/nrf54h20_cpuapp_peripherals.dtsi b/samples/matter/common/dts/nrf54h20/nrf54h20_cpuapp_peripherals.dtsi
@@ -24,7 +24,7 @@
 	status = "okay";
 };
 
-/* Communication between Application Core and Secure domain for SUIT */
+/* Communication between Application Core and Secure domain */
 &cpusec_cpuapp_ipc {
 	status = "okay";
 };

diff --git a/samples/matter/common/src/persistent_storage/Kconfig b/samples/matter/common/src/persistent_storage/Kconfig
@@ -13,13 +13,14 @@ config NCS_SAMPLE_MATTER_SETTINGS_STORAGE_BACKEND
 
 config NCS_SAMPLE_MATTER_SECURE_STORAGE_BACKEND
 	bool "Secure storage implementation for Matter samples"
-	select TRUSTED_STORAGE if !BUILD_WITH_TFM
-	select PSA_PROTECTED_STORAGE if !BUILD_WITH_TFM
+	select TRUSTED_STORAGE if (!PSA_SSF_CRYPTO_CLIENT && !BUILD_WITH_TFM)
+	select PSA_PROTECTED_STORAGE if (!PSA_SSF_CRYPTO_CLIENT && !BUILD_WITH_TFM)
 	help
 	  Enables secure persistent storage wrapper API, that
 	  imitates Zephyr Settings key-value data format.
 	  If building with CMSE enabled (*/ns), the TF-M
-	  PS implementation is leveraged by default.
+	  and Secure Domain PS implementation is leveraged
+	  by default.
 	  If building with CMSE disabled (cpuapp target),
 	  the Trusted Storage library must be used.
 

diff --git a/samples/matter/lock/Kconfig b/samples/matter/lock/Kconfig
@@ -142,12 +142,17 @@ endif # CHIP_WIFI
 config NCS_SAMPLE_MATTER_PERSISTENT_STORAGE
 	default y
 
+# PSA SSF Crypto Client is not ready for the secure storage backend
+if !PSA_SSF_CRYPTO_CLIENT
+
 config NCS_SAMPLE_MATTER_SECURE_STORAGE_BACKEND
 	default y if !CHIP_WIFI
 
 config NCS_SAMPLE_MATTER_SETTINGS_STORAGE_BACKEND
 	default n if !CHIP_WIFI
 
+endif
+
 # Increase the storage capacity if the schedules are enabled with secure storage
 # This also implies increasing of the OT and Matter stacks because some operations
 # performed during commissioning seem to allocate stack buffers based on the

diff --git a/samples/matter/lock/boards/nrf54h20dk_nrf54h20_cpuapp.conf b/samples/matter/lock/boards/nrf54h20dk_nrf54h20_cpuapp.conf
@@ -9,10 +9,12 @@ CONFIG_CHIP_QSPI_NOR=n
 
 CONFIG_MPU_STACK_GUARD=n
 
-# TODO: Enable PSA crypto once it is available
-CONFIG_CHIP_CRYPTO_PSA=n
-CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7=y
-CONFIG_MBEDTLS_CIPHER_MODE_CBC=y
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Disable Data Cache
+CONFIG_DCACHE=n
 
 # TODO: Enable factory data once it is available
 CONFIG_CHIP_FACTORY_DATA=n

diff --git a/samples/matter/template/boards/nrf54h20dk_nrf54h20_cpuapp.conf b/samples/matter/template/boards/nrf54h20dk_nrf54h20_cpuapp.conf
@@ -9,10 +9,15 @@ CONFIG_CHIP_QSPI_NOR=n
 
 CONFIG_MPU_STACK_GUARD=n
 
-# TODO: Enable PSA crypto once it is available
-CONFIG_CHIP_CRYPTO_PSA=n
-CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7=y
-CONFIG_MBEDTLS_CIPHER_MODE_CBC=y
+# Disable Oberon PSA crypto drivers
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=n
+
+# Enable PSA crypto from SSF client
+CONFIG_PSA_SSF_CRYPTO_CLIENT=y
+CONFIG_SSF_PSA_CRYPTO_SERVICE_ENABLED=y
+
+# Disable Data Cache
+CONFIG_DCACHE=n
 
 # TODO: Enable factory data once it is available
 CONFIG_CHIP_FACTORY_DATA=n